
Abstract:

A new trapdoor one-way function is provided. In a general sense, some
quadratic algebraic integer z is used. One then finds a curve E and a
rational map defining [z] on E. The rational map [z] is the trapdoor
one-way function. A judicious selection of z will ensure that [z] can be
efficiently computed, that it is difficult to invert, that determination
of z from the rational functions defining [z] is difficult, and that
knowledge of z allows one to invert [z] on a certain set of elliptic
curve points.

Claims:

1. A method of generating a digital signature, the method comprising:
obtaining a plurality of messages; generating a plurality of elliptic
curve points by applying a hash function to each of the plurality of
messages and converting each hash to a respective one of the plurality of
elliptic curve points; generating a summed elliptic curve point by adding
together the plurality of elliptic curve points; and generating the
digital signature by applying an inverse of an endomorphism to the summed
elliptic curve point.

2. The method of claim 1, the endomorphism corresponding to a quadratic
algebraic integer z that satisfies z^2+uz+v=0, where u and v are
secret integers, and v is relatively prime to n.

3. The method of claim 2, the endomorphism being a public key operation
having a corresponding private key operation [-w]([u]+[z]), where w is an
integer, wv=1 mod n, [-w] is an endomorphism corresponding to -w, and [u]
is an endomorphism corresponding to u.

4. The method of claim 2, said integer z being a complex number having
real and imaginary components.

5. The method of claim 1, the endomorphism being represented as a
rational map.

6. The method of claim 1, further comprising enabling at least one of the
plurality of messages to be changed.

7. A non-transitory computer readable medium comprising computer
executable instructions for generating a digital signature, the computer
executable instructions comprising instructions for: obtaining a
plurality of messages; generating a plurality of elliptic curve points by
applying a hash function to each of the plurality of messages and
converting each hash to a respective one of the plurality of elliptic
curve points; generating a summed elliptic curve point by adding together
the plurality of elliptic curve points; and generating the digital
signature by applying an inverse of an endomorphism to the summed
elliptic curve point.

8. A cryptographic module comprising a processor and memory, the memory
storing computer executable instructions for generating a digital
signature by operating the processor to: obtain a plurality of messages;
generate a plurality of elliptic curve points by applying a hash function
to each of the plurality of messages and converting each hash to a
respective one of the plurality of elliptic curve points; generate a
summed elliptic curve point by adding together the plurality of elliptic
curve points; and generate the digital signature by applying an inverse
of an endomorphism to the summed elliptic curve point.

9. The cryptographic module of claim 8, the endomorphism corresponding to
a quadratic algebraic integer z that satisfies z^2+uz+v=0, where u
and v are secret integers, and v is relatively prime to n.

10. The cryptographic module of claim 9, the endomorphism being a public
key operation having a corresponding private key operation [-w]([u]+[z]),
where w is an integer, wv=1 mod n, [-w] is an endomorphism corresponding
to -w, and [u] is an endomorphism corresponding to u.

11. The cryptographic module of claim 9, said integer z being a complex
number having real and imaginary components.

12. The cryptographic module of claim 8, the endomorphism being
represented as a rational map.

13. The cryptographic module of claim 8, further comprising computer
executable instructions for operating the processor to enable at least
one of the plurality of messages to be changed.

14. A method of verifying a digital signature, the method comprising:
receiving a plurality of messages and a digital signature of the
plurality of messages; generating a plurality of elliptic curve points by
applying a hash function to each of the plurality of messages and
converting each hash to a respective one of the plurality of elliptic
curve points; generating a summed elliptic curve point by adding together
the plurality of elliptic curve points; and verifying the digital
signature if the summed elliptic curve point is equivalent to a value
obtained by applying an endomorphism to the digital signature.

15. The method of claim 14, the endomorphism corresponding to a quadratic
algebraic integer z that satisfies z^2+uz+v=0, where u and v are
secret integers, and v is relatively prime to n.

16. The method of claim 15, the endomorphism being a public key operation
having a corresponding private key operation [-w]([u]+[z]), where w is an
integer, wv=1 mod n, [-w] is an endomorphism corresponding to -w, and [u]
is an endomorphism corresponding to u.

17. The method of claim 15, said integer z being a complex number having
real and imaginary components.

18. The method of claim 14, the endomorphism being represented as a
rational map.

19. The method of claim 14, further comprising enabling at least one of
the plurality of messages to be changed.

20. A non-transitory computer readable medium comprising computer
executable instructions for verifying a digital signature, the computer
executable instructions comprising instructions for: receiving a
plurality of messages and a digital signature of the plurality of
messages; generating a plurality of elliptic curve points by applying a
hash function to each of the plurality of messages and converting each
hash to a respective one of the plurality of elliptic curve points;
generating a summed elliptic curve point by adding together the plurality
of elliptic curve points; and verifying the digital signature if the
summed elliptic curve point is equivalent to a value obtained by applying
an endomorphism to the digital signature.

21. A cryptographic module comprising a processor and memory, the memory
storing computer executable instructions for verifying a digital
signature by operating the processor to: receive a plurality of messages
and a digital signature of the plurality of messages; generate a
plurality of elliptic curve points by applying a hash function to each of
the plurality of messages and converting each hash to a respective one of
the plurality of elliptic curve points; generate a summed elliptic curve
point by adding together the plurality of elliptic curve points; and
verify the digital signature if the summed elliptic curve point is
equivalent to a value obtained by applying an endomorphism to the digital
signature.

22. The cryptographic module of claim 21, the endomorphism corresponding
to a quadratic algebraic integer z that satisfies z^2+uz+v=0, where u
and v are secret integers, and v is relatively prime to n.

23. The cryptographic module of claim 22, the endomorphism being a public
key operation having a corresponding private key operation [-w]([u]+[z]),
where w is an integer, wv=1 mod n, [-w] is an endomorphism corresponding
to -w, and [u] is an endomorphism corresponding to u.

24. The cryptographic module of claim 22, said integer z being a complex
number having real and imaginary components.

25. The cryptographic module of claim 21, the endomorphism being
represented as a rational map.

26. The cryptographic module of claim 21, further comprising computer
executable instructions for operating the processor to enable at least
one of the plurality of messages to be changed.

Description:

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation of U.S. patent application Ser.
No. 12/945,234 filed on Nov. 12, 2010, which is a continuation of U.S.
patent application Ser. No. 11/272,152 filed on Nov. 14, 2005 (issued on
Nov. 30, 2010 as U.S. Pat. No. 7,844,051), which claims priority from PCT
Application No. PCT/IB2004/003700 filed on Nov. 11, 2004 and U.S.
Provisional Patent Application No. 60/626,884 filed Nov. 12, 2004, the
contents of all of the above-noted applications being incorporated herein
by reference.

[0003] A trapdoor one-way function (TOWF) is a publicly computable
function which only one entity can invert. A special secret, called a
private key, is required to compute the inverse of the TOWF.

[0004] The classic example of a TOWF is the RSA function, based on the
relationship M^{ed} ≡ M (mod N). The public RSA function W is computed as
W(x) = x^e mod N. The numbers e and N are public values. The number N is
chosen to be a product of two secret distinct primes p and q. Inverting
the RSA function with the private key operation W^{-1} is done as
W^{-1}(y) = y^d mod N, where d = e^{-1} mod (p-1)(q-1) is the private
key.

[0005] Inverting the RSA function without the private key is believed to
be a hard problem. Factoring N to obtain the primes p, q is
computationally infeasible for large values of N, and therefore the value
(p-1)(q-1), and with it the private exponent d, remains secret. In fact,
the security of much of the online banking currently done depends on the
RSA function being hard to invert without the private key. In other
words, the world generally believes that the RSA function is a TOWF.

[0006] As a TOWF, the RSA function can be used as the basis of a
cryptosystem that performs both digital signatures and public-key
encryption. To digitally sign a message M with a trapdoor one-way
function W, one computes S = W^{-1}(H(M)) using the private key operation
W^{-1} and a public hash function H. The hash function has two purposes:
to compress M down to the size of digest which W^{-1} can handle, and to
prevent some potential attacks involving the conversion of a signature of
one message to the signature of a related but unauthorized message. To
verify a signature S of message M with a trapdoor one-way function, one
checks that H(M) = W(S).

[0007] Public-key encryption with a TOWF is somewhat the opposite of
signing. Instead of hashing, an encoding scheme E is used. To encrypt a
message M, one computes a ciphertext C = W(E(M)). To decrypt a ciphertext
C, one computes M = E^{-1}(W^{-1}(C)). The encoding function serves to
adapt M to the size needed for W to be applied, and also to prevent
certain kinds of related message attacks.

[0008] An alternative cryptosystem is based on the difficulty of the
discrete log problem. A particularly robust cryptosystem which bases its
security on the discrete log problem utilizes elliptic curves, and has the
advantage of reduced bandwidth compared with RSA TOWF cryptosystems.

[0009] Whilst elliptic curve cryptosystems reduce the bandwidth compared
to the RSA TOWF, there is still a need to minimize the bandwidth whilst
maintaining the desirable attributes of existing systems. Moreover,
TOWFs do not rely on a random number generator, and therefore in some
circumstances may be easier to implement even though the bandwidth
required is greater.

[0010] It is therefore an object of the present invention to provide a
TOWF cryptosystem to obviate or mitigate the above mentioned
disadvantages.

[0011] To facilitate the understanding of the underlying principles of the
present invention, a review of the mathematical basis of these principles
is set forth below.

[0012] An elliptic curve E is the set of points (x, y) that satisfy the
defining equation of the elliptic curve. The defining equation is a
quadratic in y and a cubic in x, and is non-singular. The coordinates x
and y are elements of a field, which is a set of elements that can be
added, subtracted, multiplied, and divided (with the exception of zero
for division). Examples of fields include rational numbers and real
numbers. There are also finite fields, which are the fields most often
used in cryptography. An example of a finite field is the set of integers
modulo a prime q.

[0013] Without loss of generality, the defining equation of the elliptic
curve can be taken in Weierstrass form. When the field F is derived from
the integers modulo a prime q>3, the Weierstrass equation takes the form
y^2 = x^3 + ax + b, where a and b are elements of the field F.

[0014] The elliptic curve E includes the points (x, y), which are all
solutions to the defining equation, and one further point, namely the
point O at infinity. The elliptic curve E also has a group structure,
which means that two points P and Q on the curve can be added to form a
third point P+Q. The point O is the identity of the group, meaning
P+O = O+P = P for all points P. Addition is associative, so that
P+(Q+R) = (P+Q)+R, and commutative, so that P+Q = Q+P, for all points P,
Q and R. Each point P has a negative point -P, such that P+(-P) = O. When
the curve equation is the Weierstrass equation of the form
y^2 = x^3 + ax + b, the negative of P = (x, y) is determined easily as
-P = (x, -y). The formula for adding points P and Q in terms of their
coordinates is only moderately complicated, involving just a handful of
field operations in the field over which E is defined.

[0015] A rational function r(x,y) in two variables over a field is the
ratio of two polynomials in two variables, each over the same field. So
r(x,y) = p(x,y)/q(x,y), where p and q are polynomials in x and y. A
polynomial in x and y is a sum of terms of the form a x^m y^n, where a is
a field element (possibly depending on m and n), and m and n are
non-negative integers. For example, x^2 y - 3y^4 + 1 is a polynomial in x
and y. For any rational function r(x, y) and field elements u and v,
there is a value of the rational function r(x,y) at the point (u, v). The
value is a field element or the point at infinity, and is written
r(u, v). The value r(u, v) is obtained simply by substituting each
occurrence of the variable x by the field element u and each y by v, and
then evaluating all the field operations such as multiplication, addition
and division. Occasionally division by zero results, which generally
indicates that the value r(u, v) is actually infinity, which is regarded
as an exception because the value is not in the field. Thus, it is
possible to evaluate r(x,y) for points (x,y) on the curve. It is also
possible to define the value of r(x,y) at the point O, thus enabling
evaluation of r on each point of the curve.

[0016] A rational map on an elliptic curve E is a pair of rational
functions r(x,y) and s(x,y) such that if (u, v) is a point on E, then (t,
w)=(r(u, v), s(u, v)) is also a point on E. More generally, this needs to
also hold if (u,v) is replaced by O, and furthermore if it is acceptable
for (t, w) to be O, which corresponds to t and w both being infinity.

[0017] Rational maps on elliptic curves can actually be added just like
points on the curve. The addition rules are similar, except that instead
of doing operations with field elements, one instead does operations with
rational functions, that is, with the symbolic functions of x and y.

[0018] A rational map (r, s) on E is considered equivalent to another
rational map (r', s') on E if r is equivalent to r' and s is equivalent
to s', as rational functions on E.

[0019] A special kind of rational map is an endomorphism. An endomorphism
e is a rational map e = (r, s) with the additive property, that is,
e(P+Q) = e(P)+e(Q) for any two points P and Q. An important theorem in
elliptic curve theory says that if e is a rational map from E to E with
the property e(O) = O, then e is an endomorphism. This theorem
considerably simplifies the determination of whether a given rational map
is an endomorphism.

[0020] An important example of an endomorphism is e = [m], which is
defined by e(P) = mP, that is, the sum of m copies of the point P. Because
the addition law for the curve E is defined by rational functions, so is
the iterated sum mP of m copies of P, because these rational functions
can be iterated. Therefore e is a rational map. Because the addition
operation on the curve E is associative and commutative, we have
e(P+Q) = m(P+Q) = mP + mQ = e(P)+e(Q) for e = [m]. Therefore, e is an
endomorphism because it has the additive property.

[0021] If E has an endomorphism different from [m] for every integer m,
then E is said to have complex multiplication. Elliptic curves defined
over finite fields always have complex multiplication. In other words,
they always have an endomorphism e which is different from [m] for all
integers m.

[0022] A powerful theorem of elliptic curve theory says that any
endomorphism e is equivalent to a unique rational map of the form
(r(x), c y r'(x)), where r(x) is a rational function of a single variable,
c is a constant field element, and r'(x) is the derivative of r(x). This
result is not at all obvious, but if e is in the form (f(x,y), g(x,y)),
it is not too difficult to determine r(x), as outlined below.

[0023] To illustrate, one replaces each occurrence of y^2 in f(x, y) with
a polynomial that is linear or constant in y. For example, if the curve's
defining equation is y^2 = x^3 + ax + b, then each y^2 can be replaced by
x^3 + ax + b, which is constant in y. Apply this as many times as
necessary so that the numerator and denominator do not have any powers of
y higher than 1, in other words they are linear in y. The modified f(x,y)
has the form (a(x) + b(x)y)/(c(x) + d(x)y), where a, b, c, and d are
polynomial functions, not to be confused with previous uses of these
variables. The y can be eliminated from the denominator by multiplying
the top and bottom by (c(x) - d(x)y), which gives
c(x)^2 - d(x)^2 y^2 = c(x)^2 - d(x)^2 (x^3 + ax + b) in the bottom. The
y^2 in the numerator can also be eliminated. This gives a form
g(x) + h(x)y where g(x) and h(x) are rational functions in x. It can be
proven that h(x) = 0: as e is an endomorphism we have e(-P) = -e(P), so
e(x,-y) = -e(x,y), and since negation leaves the x-coordinate unchanged,
g(x) + h(x)y = g(x) - h(x)y for all (x,y) on the curve. So now we have
found r(x) as g(x). It is clear that r(x) found in this way is unique.

[0024] Similarly, the rational function g(x,y) can be expressed as a
linear function h(x) + y k(x), where h(x) and k(x) are rational functions
of x, and it can be shown that h(x) = 0 for similar reasons. This means
that k(x) can be determined, which provides a means to find the constant
c in the form (r(x), c y r'(x)). Alternatively, c could be found by
differentiating r(x) and then evaluating e at some point P to solve for
c.

[0025] Every endomorphism has an action on an elliptic curve group that
corresponds to a quadratic algebraic integer. A quadratic algebraic
integer z is a complex number such that z^2 + uz + v = 0 for some
integers u and v. The endomorphism e corresponds to this algebraic
integer if e^2 + [u]e + [v] = [0], where e^2 is the composition of e with
itself and the addition here is the addition of rational maps, as
explained above. In this case, we can write e = [z], where [ ] indicates
the rational map corresponding to a quadratic algebraic integer.

[0026] All real integers are quadratic algebraic integers, and the
endomorphism [m] corresponds to the integer m. An example of a quadratic
algebraic integer that is not a real integer is the complex number i, the
square root of -1, which satisfies the quadratic equation i^2 + 1 = 0.
For each quadratic algebraic integer z that is not a real integer, there
is only a limited set of elliptic curves that have [z] as an
endomorphism. Known results give theoretical procedures for determining
such curves, as well as a way of determining [z] as a rational map.

[0027] Generally, the degree of an endomorphism e is the number of points
P such that e(P) = O. More precisely, this is called the separable degree
of e. The actual degree is the product of the separable degree and
something else called the inseparable degree. When e is expressed in its
canonical form as (r(x), c y r'(x)), the degree of the numerator of r(x)
is the degree of e, and the degree of the denominator of r(x) is one
less. (Here we assume the numerator and denominator of r(x) to be
co-prime.) Furthermore, for e = [z], we generally have the degree of e as
|z|^2. The degree of the endomorphism [m], for example, is thus
|m|^2 = m^2.

[0028] In conventional elliptic curve cryptography, the endomorphism [m]
is evaluated frequently. The number m represents a private key, and
[m]P = mP represents a public key. The function [m] can be computed
efficiently, even for a large value of m, much faster than one could add
up the m^2 terms that would appear in the fully expanded polynomial
forms of the numerator and denominator of r(x) for [m]. The crucial
observation here is that a large degree endomorphism can be efficiently
computed.

[0029] The following example lists every possible endomorphism of degree 2
on any elliptic curve. This list is complete up to equivalence of
rational maps and elliptic curves. These are taken from Silverman's
Advanced Topics in the Arithmetic of Elliptic Curves (Silverman's).

Notice that z appears as a rational function defining the action of e, so
e is only defined when E is defined over a field F that contains a value
corresponding to z. (This comment also applies to the two endomorphisms e
below.)

[0033] In one aspect, there is provided a method of generating a digital
signature, the method comprising: obtaining a plurality of messages;
generating a plurality of elliptic curve points by applying a hash
function to each of the plurality of messages and converting each hash to
a respective one of the plurality of elliptic curve points; generating a
summed elliptic curve point by adding together the plurality of elliptic
curve points; and generating the digital signature by applying an inverse
of an endomorphism to the summed elliptic curve point.

[0034] In another aspect, there is provided a non-transitory computer
readable medium comprising computer executable instructions for
generating a digital signature, the computer executable instructions
comprising instructions for: obtaining a plurality of messages;
generating a plurality of elliptic curve points by applying a hash
function to each of the plurality of messages and converting each hash to
a respective one of the plurality of elliptic curve points; generating a
summed elliptic curve point by adding together the plurality of elliptic
curve points; and generating the digital signature by applying an inverse
of an endomorphism to the summed elliptic curve point.

[0035] In yet another aspect, there is provided a cryptographic module
comprising a processor and memory, the memory storing computer executable
instructions for generating a digital signature by operating the
processor to: obtain a plurality of messages; generate a plurality of
elliptic curve points by applying a hash function to each of the
plurality of messages and converting each hash to a respective one of the
plurality of elliptic curve points; generate a summed elliptic curve
point by adding together the plurality of elliptic curve points; and
generate the digital signature by applying an inverse of an endomorphism
to the summed elliptic curve point.

[0036] In yet another aspect, there is provided a method of verifying a
digital signature, the method comprising: receiving a plurality of
messages and a digital signature of the plurality of messages; generating
a plurality of elliptic curve points by applying a hash function to each
of the plurality of messages and converting each hash to a respective one
of the plurality of elliptic curve points; generating a summed elliptic
curve point by adding together the plurality of elliptic curve points;
and verifying the digital signature if the summed elliptic curve point is
equivalent to a value obtained by applying an endomorphism to the digital
signature.

[0037] In yet another aspect, there is provided a non-transitory computer
readable medium comprising computer executable instructions for verifying
a digital signature, the computer executable instructions comprising
instructions for: receiving a plurality of messages and a digital
signature of the plurality of messages; generating a plurality of
elliptic curve points by applying a hash function to each of the
plurality of messages and converting each hash to a respective one of the
plurality of elliptic curve points; generating a summed elliptic curve
point by adding together the plurality of elliptic curve points; and
verifying the digital signature if the summed elliptic curve point is
equivalent to a value obtained by applying an endomorphism to the digital
signature.

[0038] In yet another aspect, there is provided a cryptographic module
comprising a processor and memory, the memory storing computer executable
instructions for verifying a digital signature by operating the processor
to: receive a plurality of messages and a digital signature of the
plurality of messages; generate a plurality of elliptic curve points by
applying a hash function to each of the plurality of messages and
converting each hash to a respective one of the plurality of elliptic
curve points; generate a summed elliptic curve point by adding together
the plurality of elliptic curve points; and verify the digital signature
if the summed elliptic curve point is equivalent to a value obtained by
applying an endomorphism to the digital signature.

BRIEF DESCRIPTION OF THE DRAWINGS

[0039] Embodiments of the invention will now be described by way of
example only with reference to the accompanying drawings, in which:

[0040] FIG. 1 is a schematic representation of a cryptographic exchange
scenario.

[0041] FIG. 2 is a schematic representation showing an application of a
trapdoor one-way function.

[0042] FIG. 3 is a schematic representation showing an application of the
trapdoor one-way function of FIG. 2 for encryption.

[0043] FIG. 4 is a schematic representation showing an application of the
trapdoor one-way function of FIG. 2 for digital signatures.

[0044] FIG. 5 is a schematic representation showing an application of the
trapdoor one-way function of FIG. 2 for aggregated signatures.

[0045] FIG. 6 is a schematic representation showing an application of the
trapdoor one-way function of FIG. 2 for aggregated signatures with a
single message and multiple trapdoor one-way functions for multiple
signers.

DETAILED DESCRIPTION OF THE INVENTION

[0046] Referring therefore to FIG. 1, a cryptosystem 10 has a first entity
12, and a second entity 14 that communicate via a communication channel
16. The first entity 12 and second entity 14 each have a cryptographic
module 15 that applies public key functions or private key functions 18
available to both entities 12, 14. Each entity 12, 14 will utilize the
key functions 18 with the TOWF to obtain encryption/decryption or
signing/verifying as described above.

[0047] In order to implement such a system, it is necessary to determine a
suitable TOWF with corresponding public key functions and private key
functions. The inventors have recognized that a suitable TOWF may be
obtained by use of a quadratic algebraic integer z. One then finds a
curve E and a rational map defining [z] on E. The rational map [z] is the
TOWF. Judicious selection of z will ensure that it has the necessary
cryptographic attributes, namely:

[0048] (a) [z] can be efficiently computed;

[0049] (b) [z] is difficult to invert;

[0050] (c) determination of z from the rational functions defining [z] is
difficult; and

[0051] (d) knowledge of z allows one to invert [z] on a certain set of
elliptic curve points.

[0052] More generally, one can use a rational map r between two different
curves E and E'. The rational map can be used as a TOWF. For ease of
implementation, however, it is more convenient to use E=E'. A rational
map from E to E is the preferred implementation.

[0053] Because every rational map from E to E is a composition of a
translation and an endomorphism, where the translation is easy to
determine and invert, the security of the rational map rests entirely on
the endomorphism. Therefore an endomorphism is the preferred
implementation of the rational map.

[0054] The inventors have recognized that one potential way to calculate
the trapdoor inverse, for inverting [z], is to use the quadratic equation
for z: z^2 + uz + v = 0, where u and v are integers. Dividing this
equation by vz gives (z + u)/v + (1/z) = 0. Hence (1/z) = -(z + u)/v.
Now, (1/z) is not generally a quadratic algebraic integer. More
precisely, if [z] has degree greater than 1, that is, if v = |z|^2 > 1,
then (1/z) is not a quadratic algebraic integer. Therefore, there is no
endomorphism that inverts [z]. Instead there is a dual endomorphism
[z'] = [-(z + u)], which satisfies [z][z'] = [v]. In a specific field F,
the order n of the elliptic curve E can sometimes be relatively prime to
v, which means there is an integer w such that wv = 1 mod n. This means
that [w] acts as an inverse of [v] for the points of E defined over F.

[0055] In this case, the action of [z] on E(F) is invertible by the
endomorphism [w][z'] = [-w(z + u)]. If [z] can be computed efficiently,
then it is likely that [-w(z + u)] can be as well. An alternate
expression for this is [-w]([u] + [z]).

[0056] Accordingly, it is possible to utilize the endomorphism [z] as the
public key operation and the relationship [-w]([u]+[z]) as the private
key operation.

[0057] The integers u, v are maintained secret and are only available to
the entity performing the private key function.
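The following Python program is an added worked example and is not code from the patent. It builds a toy instance of the construction in [0054] to [0057] on the assumed curve y^2 = x^3 + b over F_43: 43 is 1 mod 3, so the curve has complex multiplication by ω, acting as (x, y) → (βx, y) for β a primitive cube root of unity. It takes z = 1 + 2ω, which satisfies z^2 + 3 = 0 (u = 0, v = 3, degree 3), checks the relations [z]^2 + [u][z] + [v] = [0] and [z][z'] = [v] on every point of E(F_p), inverts [z] with the private operation [-w]([u] + [z]), and then signs and verifies a list of messages in the aggregate manner of claims 1 and 14. The prime, the choice of z, the try-and-increment hash-to-point encoding over SHA-256 and the message strings are all assumptions of the example. Because the degree is only 3, v is read straight off the map and u is recovered from u^2 < 4v, so this instance has no trapdoor security whatsoever; it exhibits the algebra, not a usable parameter set.

```python
import hashlib
from functools import reduce
from math import gcd

# Assumed toy parameters, not from the patent: p = 43 is 1 mod 3, so F_p has a
# primitive cube root of unity BETA and every curve y^2 = x^3 + b over F_p has
# complex multiplication by omega (omega^2 + omega + 1 = 0).  A 43-element
# field is hopelessly insecure; it is here only to exhibit the algebra.
P = 43
BETA = 6                                # 6^3 = 216 = 5*43 + 1, and 6 != 1

def neg(pt):                            # None stands for the point O
    return None if pt is None else (pt[0], -pt[1] % P)

def add(p1, p2):
    """Chord-and-tangent addition on y^2 = x^3 + b (the a = 0 case)."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                     # P + (-P) = O, including doubling at y = 0
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """[k]P by double-and-add; a negative k negates the point first."""
    if k < 0:
        k, pt = -k, neg(pt)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def omega(pt):
    """The CM endomorphism [omega]: (x, y) -> (BETA*x, y), of degree 1."""
    return None if pt is None else (BETA * pt[0] % P, pt[1])

# z = 1 + 2*omega is a square root of -3: z^2 + u z + v = 0 with u = 0, v = 3.
# So [z] has degree |z|^2 = 3 and its dual is [z'] = [-(z + u)] = [-z].
U, V = 0, 3

def endo_z(pt):
    """Public-key operation [z]P = P + [2][omega]P."""
    return add(pt, mul(2, omega(pt)))

def points(b):                          # finite points of E(F_p); n = len + 1
    return [(x, y) for x in range(P) for y in range(P) if (y * y - x ** 3 - b) % P == 0]

def pick_curve():
    """Choose b so that n = #E(F_p) is coprime to v, as [0054] requires."""
    for b in range(1, P):
        n = len(points(b)) + 1
        if gcd(n, V) == 1:
            return b, n
    raise RuntimeError("no twist with gcd(n, v) = 1")

B, N = pick_curve()
W = pow(V, -1, N)                       # w*v = 1 mod n

def inverse_z(pt):
    """Private-key operation [-w]([u] + [z]) of [0055]."""
    return mul(-W, add(mul(U, pt), endo_z(pt)))

def relations_hold():
    """[z]^2 + [u][z] + [v] = [0], [z][z'] = [v] and inverse_z o endo_z = id on E(F_p)."""
    for pt in points(B) + [None]:
        zp = endo_z(pt)
        dual = neg(add(zp, mul(U, pt)))             # [z']P = [-(z + u)]P
        if add(add(endo_z(zp), mul(U, zp)), mul(V, pt)) is not None:
            return False
        if endo_z(dual) != mul(V, pt) or inverse_z(zp) != pt:
            return False
    return True

def hash_to_point(msg):
    """Assumed try-and-increment encoding; p = 3 mod 4, so a^((p+1)/4) is a root."""
    for ctr in range(256):
        x = int.from_bytes(hashlib.sha256(msg + bytes([ctr])).digest(), "big") % P
        rhs = (x ** 3 + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)
    raise ValueError("no curve point found for message")

def summed_point(msgs):
    return reduce(add, map(hash_to_point, msgs), None)

def sign(msgs):
    """Claim 1: hash each message to a point, add them, apply [z]^-1."""
    return inverse_z(summed_point(msgs))

def verify(msgs, sig):
    """Claim 14: accept iff [z](sig) equals the summed hash point."""
    return endo_z(sig) == summed_point(msgs)
```

The search in pick_curve is the "judicious selection" of [0054] in miniature: the sextic twists y^2 = x^3 + b realize six different group orders over F_43, three of them divisible by v = 3 (exactly those with b a square, since (0, √b) is then a point of order 3), and only a twist with gcd(n, v) = 1 admits w = v^{-1} mod n. On such a twist the kernel of [z] in E(F_p) is trivial, because it lies in the 3-torsion, so any altered signature sig + Q with Q ≠ O fails verification; that is the one-to-one property of the public operation on E(F), not a statement about unforgeability at this size.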

[0058] It will be appreciated that this will be specific to the field F
and will not be true for E defined over another field F'. The points of E
defined over F are sometimes indicated as E(F) to emphasize that points
with coordinates outside of F are not under consideration.

[0059] In order for [z] to be a trapdoor one-way function, it should be
computationally infeasible to determine u and v from the public
definition of [z], otherwise its inverse on E(F) is efficiently
computable as [-w]([u]+[z]). Therefore, [z] needs to be given in a form
that does not allow an easy determination of u and v.

[0060] By providing [z] as a pair of rational functions, it is believed
that u and v cannot easily be determined. Typically, however, the first
coordinate is a function of x only, so that [z] is given somewhat in the
canonical form (r(x), g(x, y)); the description used for evaluating r(x)
may then reveal the degree of the numerator of r(x), even though the full
expansion of r(x) as a ratio of two polynomials may be infeasible owing to
the large number of terms. Since the degree of [z] is v, it is possible
that the description of [z] will reveal v. Therefore, to make sure that
[z] is a trapdoor one-way function, it is important to ensure that u is
not revealed as well, otherwise [z] could be inverted, as described above.

[0061] According to Silverman's, determining the endomorphism ring of a
general elliptic curve is a non-trivial problem. Since v and u
essentially determine the endomorphism ring, up to an integer factor, it
is generally infeasible to determine v and u from a description of the
elliptic curve alone. It is therefore plausible that from the description
of a single complex endomorphism, it is still a non-trivial problem to
determine the endomorphism ring. In particular, this means it is still
plausible that determining u from the description of [z] as a pair of
rational functions is a non-trivial problem.

[0062] Accordingly, the degree v of [z] should be chosen reasonably large.
This helps to ensure that the possible values of u cannot be exhausted
using the relationship u^2 < 4v, which follows from the above because z
must be a non-real complex number.

[0063] One possible construction for [z] is based on the following
observations. As discussed above, if e = [z] = (r(x), c y r'(x)) has degree
m, then r(x) = p(x)/q(x) where p and q are polynomials of degree m and
m-1 respectively. The kernel of e is the set of m points O = Z_1,
Z_2, . . . , Z_m, such that e(Z_j) = O for j from 1 to m. If
Z_j = (z_j, y_j) for j from 2 to m, then it can be assumed that
q(x) = (x - z_2)(x - z_3) . . . (x - z_m). Moreover, mZ_j = O, since
[z'][z] = [m] where z' is the conjugate of z as determined above, so that
mZ_j = [m]Z_j = [z'][z]Z_j = [z']O = O. Furthermore, the kernel of e is a
subgroup of order m in the elliptic curve E, though not necessarily a
part of E(F). The elliptic curve, as a whole, generally has at least m+1
such subgroups.

[0064] Next, consider the elliptic curve containing the point B=(0, b).
Suppose that there is some point W such that [z]W=B. Let W_j=W+Z_j for j
from 1 to m (note W_1=W+Z_1=W+O=W), and suppose that W_j=(w_j, u_j) for
j=1 to m. Since [z]W_j=[z]W+[z]Z_j=B+O=B, whose x-coordinate is 0, each
w_j is a root of r(x) and hence of p(x); thus
p(x)=d(x-w_1)(x-w_2)...(x-w_m) for some constant d.

[0065] Notice that p(x)=d(x-w_1)u(x), where the roots of u(x) are
essentially a rational function of the roots of q(x). When the roots of
two polynomials have a simple relationship such as this, there is a
corresponding transformation of the coefficients of the polynomials. For
example, if the roots of u(x) are the squares of the roots of q(x), then
u(x)=q(√x) q(-√x) (-1)^(deg q). In this way, it is seen that the ability
to evaluate q(x) provides a means to evaluate u(x).
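As an added worked example (Python written for this page, not part of the patent), the root-squaring transform stated above can be carried out with integer polynomial arithmetic and no square roots: writing q(x)=E(x^2)+x·O(x^2) for its even and odd parts gives q(√x)q(-√x)=E(x)^2 - x·O(x)^2, so u(x)=(-1)^(deg q)·(E(x)^2 - x·O(x)^2). The helper names (poly_mul, root_square, from_roots) are my own; polynomials are coefficient lists indexed by power of x.

```python
# Added example: the root-squaring step u(x) = (-1)^deg(q) q(sqrt x) q(-sqrt x),
# computed from the even/odd split q(x) = E(x^2) + x O(x^2).
# Polynomials are integer coefficient lists, index = power of x.

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def poly_sub(a, b):
    n = max(len(a), len(b))
    a = a + [0] * (n - len(a))
    b = b + [0] * (n - len(b))
    return [x - y for x, y in zip(a, b)]

def trim(a):
    """Drop trailing zero coefficients (keep at least one entry)."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def root_square(q):
    """Return u with u(x) = (-1)^deg(q) * q(sqrt x) * q(-sqrt x).

    If q has roots a_1..a_m then u has roots a_1^2..a_m^2, with the same
    degree and leading coefficient squared.
    """
    m = len(q) - 1
    even = q[0::2] or [0]        # E(x): coefficients of x^0, x^2, x^4, ...
    odd = q[1::2] or [0]         # O(x): coefficients of x^1, x^3, ...
    e2 = poly_mul(even, even)    # E(x)^2
    xo2 = [0] + poly_mul(odd, odd)   # x * O(x)^2
    u = poly_sub(e2, xo2)
    sign = -1 if m % 2 else 1
    return trim([sign * c for c in u])

def poly_eval(p, x):
    """Horner evaluation, exact over the integers."""
    r = 0
    for c in reversed(p):
        r = r * x + c
    return r

def from_roots(roots):
    """Monic polynomial with the given integer roots (constructed test input)."""
    p = [1]
    for a in roots:
        p = poly_mul(p, [-a, 1])
    return p

if __name__ == "__main__":
    q = from_roots([2, 3, 5])            # (x-2)(x-3)(x-5)
    print(root_square(q))                # coefficients of (x-4)(x-9)(x-25)
```

The same routine applies to a q(x) whose roots are not integers (the kernel x-coordinates generally lie in an extension field), since only the coefficients are manipulated; the test input with integer roots is just constructed so the result can be checked by hand.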

[0066] Applying the above observations, one may search for a subgroup of
order m in some elliptic curve E whose finite x-coordinates are the
zeros of a low Hamming weight polynomial q(x). A low Hamming weight
polynomial q(x) is desirable because such polynomials are efficient to
evaluate. One would then find a point W as mentioned above, which allows
one to compute the numerator p(x) efficiently, as outlined above. Once
p(x) and q(x) can be evaluated, r(x) can be evaluated.

[0067] An illustration of how one may find such polynomials p(x), q(x) is
as follows. Note that if Z_j is in the kernel of [z] then so is -Z_j, and
thus z_j can appear as a double root of q(x). Suppose that q(x) has a
degree m that is prime. Suppose further that m is an Elkies prime, the
precise meaning of which is not a concern for the following discussion.
This means that q(x)=s(x)^2 for a polynomial s(x) of degree (m-1)/2,
which is a factor of the m-th division polynomial. The
Schoof-Elkies-Atkin (SEA) algorithm for counting points on an elliptic
curve E(F) includes a step where a polynomial of the form s(x) is found.
The coefficients of the polynomial s(x) are found by a recursion
equation. Therefore, methods are known for constructing such a
polynomial. In the SEA algorithm, such s(x) are found for relatively
small values of m, but for the present purpose, it is advantageous to
make m large.

[0068] Another possible approach is to choose an irreducible polynomial
s(x) of low Hamming weight. Let z be one of its roots, where z is the
x-coordinate of some point on the elliptic curve E. The point may have a
finite order m. This finite order will hold for any root z of s(x), by
applying Galois automorphisms. If it is also the case that the points
arising from the roots of s(x) are closed under addition, that is, they
form a subgroup of E, then s(x) has the desired form. For this to happen,
we would basically need a Galois automorphism g and a point P on E such
that g(P)=2P. By searching for a g, P, and E such that this is possible,
one may be able to find a polynomial s(x) of the desired form. In
practice, the y-coordinate can be ignored because it can only take one
of two values.

[0069] If the endomorphism's kernel intersects the group E(F) at only the
point O, then the action of the endomorphism e on the group E(F) is
invertible. In this case, the endomorphism e is an automorphism of the
group E(F). Generally the group E(F) will be cyclic, and in the following
discussion, we assume that E(F) is cyclic. If e is an automorphism of a
cyclic group of order n, then an algorithm realized by the inventors
determines an integer d such that e(G)=dG, where one uses additive
notation for the group. The cost of this algorithm depends on the
factorization of n-1. It is known that random integers of the size of n
generally have a factor f that is approximately n^(1/3). Given a factor
of this size, the algorithm can determine d in a constant multiple of f
steps. This is considerably faster than the generic algorithms for
finding d given dG, which take n^(1/2) steps.

[0070] Therefore, it is desirable that the group E(F) has order n such
that n-1 does not have a factor f near to n^(1/3). An alternative to
choosing n in this way is simply to choose n slightly larger, so that the
cost of an attack of n^(1/3) steps is out of reach for the adversaries
under consideration. For example, at a security level of 80 bits, such a
larger n could be chosen so that n is approximately 2^240, and at a
security level of 128 bits, n could be chosen so that n is approximately
2^384. However, for efficiency reasons it is preferable to use a smaller
n, and therefore it is presumed that the extra work necessary to ensure
that n-1 has no factor of size near n^(1/3) will be undertaken.
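As an added illustration of this parameter check (Python written for this page, not part of the patent), the following enumerates the divisors of n-1 from its prime factorization and reports those lying within a chosen number of bits of n^(1/3). The width of that band (band_bits) is an assumption made for the example, since the text only says "near"; the trial-division factoring is a toy for small demonstration values, and for cryptographic-size n the factorization of n-1 must be supplied from a proper factoring tool.

```python
# Added example: flag divisors of n-1 close to n^(1/3), the size the text
# says makes the automorphism-recovery algorithm fast.  Not the patent's code.
from itertools import product
import math

def trial_factor(n):
    """Toy factoring by trial division; fine for demonstration sizes only."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def divisors(factors):
    """All divisors built from a {prime: exponent} factorization."""
    primes = list(factors)
    for exps in product(*(range(factors[p] + 1) for p in primes)):
        d = 1
        for p, e in zip(primes, exps):
            d *= p ** e
        yield d

def factors_near_cube_root(n, factors_of_n_minus_1, band_bits=4):
    """Divisors f of n-1 with log2(f) within band_bits of log2(n)/3.

    band_bits is an illustrative choice (assumption); the text says 'near'.
    math.log2 accepts arbitrary-size Python ints, so this works for real n
    provided the caller supplies the factorization of n-1.
    """
    target = math.log2(n) / 3
    return sorted(f for f in divisors(factors_of_n_minus_1)
                  if abs(math.log2(f) - target) <= band_bits)

def order_avoids_cube_root_factor(n, band_bits=4):
    """Convenience wrapper for small n using the toy factoring above."""
    return not factors_near_cube_root(n, trial_factor(n - 1), band_bits)

if __name__ == "__main__":
    n = 1009                                  # constructed toy group order
    print(factors_near_cube_root(n, trial_factor(n - 1), band_bits=1))
```

In practice one would apply this while selecting the curve, rejecting any candidate group order whose n-1 has a divisor in the band, or else widen n to the 2^240 / 2^384 sizes the text gives so that an n^(1/3)-step attack is out of reach regardless.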

[0071] The manner in which an endomorphism e would be used is generally
shown in FIG. 2. The first entity 12 takes an x value. It could choose
one of the two corresponding y values arbitrarily. It would then apply
the public key function [z] as a rational map e=(r(x), g(x,y)) and
evaluate e(x, y) to arrive at some value (x', y'). This would be the
basic public key operation. A second entity 14 receives the message (x',
y') and then applies e^-1 to get the value (x, y). This would be the
basic private key operation [-w]([u]+[z]). Notice that if y is changed to
-y, then y' changes to -y', but x' and x are unaffected. Therefore y can
more or less be ignored for all practical purposes.

[0072] To apply this to encryption as shown in FIG. 3, the first entity 12
sets x to the plaintext and x' to the ciphertext by application of the
public key function [z]. Known sophisticated approaches to public key
encryption generally apply some randomized padding to the plaintext x, so
that, among other things, repeated encryption of the same plaintext gives
different ciphertexts. The second entity 14 decrypts the ciphertext x'
using the private key function to obtain the plaintext x.

[0073] To apply this to signatures as shown in FIG. 4, the second entity
14 sets x' to be the message to be signed, and computes x as the
signature by application of the private key function. Generally some
hashing is used to create x' from a longer message, which is a standard
technique for digital signatures. The first entity 12 uses the public key
operation e to confirm that e(x, y)=(x', y'). The hash function is
one-way, so the first entity cannot forge a signature by starting from
(x, y) and applying e to get (x', y'), because the next step would be to
find a message M such that x'=Hash(M), which is considered infeasible
for a one-way hash function.

[0074] If the problem of inverting [z] is as hard as the discrete
logarithm problem in E, then the size of the cryptographic group can be
smaller than the group used for the RSA TOWF. For example, a 3072-bit RSA
modulus is considered to be roughly as secure as an elliptic curve
defined over a 256-bit field. The security level of both these objects
is considered to be 128 bits, which is a commercial grade security level
now most widely used across the Internet, such as for online banking.
For the elliptic curve trapdoor one-way function [z], the size of the
signature x or basic ciphertext x' is 256 bits, whereas for RSA the size
is 3072 bits.

[0075] Comparing to conventional elliptic curve cryptography (ECC), a
signature for a 256-bit elliptic curve is about 512 bits long, which is
twice the size of the signature for an elliptic curve TOWF. A similar
savings is possible for encryption.

[0076] In another embodiment and application of the present invention the
TOWF is applied to the aggregation of signatures or ciphertexts. The
following will be explained for signatures, but it will be appreciated
that the details for ciphertexts are quite similar.

[0077] Aggregation of signatures means a single signature represents a
multiplicity of messages signed by a single signer, or a single message
signed by a multiplicity of signers, or a multiplicity of messages signed
by a multiplicity of signers.

[0078] Referring now to FIG. 5, to sign t messages m_1, m_2, ..., m_t a
signer (e.g. first entity 12) hashes each message and converts each hash
to an elliptic curve point, yielding t points P_1, ..., P_t which are
then added together to yield a point P=P_1+...+P_t. The signer then
applies the inverse function e^-1 to obtain the signature S=e^-1(P),
which is a single signature for multiple messages. Verification by
another entity (e.g. second entity 14) then consists of hashing the
messages, converting each hash to a point, summing to a total P, and
then applying the public key 18 operation e to S and checking whether
e(S)=P. The advantage of doing this over simply concatenating the
messages is to achieve greater flexibility for a signer wishing to
change parts of the message, because the signing is additive.

[0079] The procedure described above does not impose an order of signing
individual message components, i.e., signature verification is relative
to an (unordered) set of signatures signed by the same entity. It should
be noted, however, that this procedure can easily be generalized towards
weighted sums of individual signatures, rather than the sum of individual
signature components S_1, ..., S_t, provided that the individual scalar
multiples (the `weights`) can be retrieved or derived by the verifying
entity. This would allow the enforcement of ordering in the signing
process of these t messages, by making the weights dependent on the
applicable ordering.

[0080] Referring now to FIG. 6, if t different signers (e.g. collectively
the first entity 12) use the same elliptic curve group and have different
TOWFs e_1, ..., e_t, then they may form an aggregate signature of a
single message as follows. To sign a message m, the first signer of the
first entity 12 computes a hash of the message and converts the hash to
an elliptic curve point P. Then together (i.e. all signers of the first
entity 12) they compute e_t^-1(e_(t-1)^-1(...(e_1^-1(P)))), by each
applying their private key operation, where signing takes place by
entities 1, 2, ..., t in order. Verification (e.g. by the second entity
14) consists of applying each of the corresponding public key 18
operations, in reverse order, and checking whether the resulting point P
corresponds to the hash value of the signed message m.

[0081] Generally, elliptic curve endomorphisms commute, so the order in
which multiple entities sign a single message seems irrelevant. It should
be noted, however, that this procedure can easily be generalized so as to
enforce an ordering in the signing process. This can be realized by, for
example, having each signing entity apply an offset to the signature
computed, as described below.

[0082] Suppose the individual signature by entity i on point P is
e_i^-1(P+A_i), where the elliptic curve point A_i is unique for entity i.
Then the ordered aggregate signature over message m by entities 1, 2,
..., t is obtained by hashing m and converting this to the elliptic curve
point P (as before), and subsequently having each of the signing entities
apply its own signing operation to the resulting value. This results in
S_1=e_1^-1(P+A_1), S_2=e_2^-1(S_1+A_2), ..., S_t=e_t^-1(S_(t-1)+A_t),
where S_t is the resulting aggregate signature. Signature verification is
now a trivial modification of the procedure described above, provided the
individual offsets A_1, ..., A_t can be retrieved or derived by the
verifying entity, and consists of computing the sequence
S_(t-1)=e_t(S_t)-A_t, S_(t-2)=e_(t-1)(S_(t-1))-A_(t-1), ...,
S_1=e_2(S_2)-A_2, P=e_1(S_1)-A_1 and checking whether the elliptic curve
point P corresponds with the hash value of the signed message m.
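The following is an added toy model (Python written for this page, not the patent's construction) of the public/private operations of [0071]-[0073] and of the two aggregation schemes of [0078] and [0080]-[0082]. It models the trapdoor [z] the way [0069] says an endomorphism acts on a cyclic E(F) of prime order n: e(P)=dP for a secret scalar d, with private operation e^-1(P)=(d^-1 mod n)P. This reproduces the signing and verification algebra, including the effect of the offsets A_i, but not the security of the real scheme: here d can be read off from one (P, dP) pair by a small discrete logarithm, whereas in the patent's construction the secret is hidden behind the rational-map description of [z]. The toy curve (p=10007, a=2, with b searched so that #E(F_p) is prime) and the try-and-increment hash-to-point encoding are choices made for this example.

```python
# Added toy model: endomorphism e as scalar multiplication on a small
# prime-order curve.  Illustrates the aggregation algebra only; the scalar d
# is NOT a secure trapdoor (see lead-in).
import hashlib

P_MOD = 10007      # constructed toy prime, p = 3 mod 4 so sqrt is one pow()
A = 2

def legendre(v, p):
    """Legendre symbol as 0, 1 or p-1 (meaning -1)."""
    return pow(v % p, (p - 1) // 2, p)

def curve_order(a, b, p):
    """Brute-force #E(F_p) for y^2 = x^3 + a x + b, counting O."""
    n = 1
    for x in range(p):
        s = legendre(x * x * x + a * x + b, p)
        n += 1 if s == 0 else (2 if s == 1 else 0)
    return n

def is_prime(n):
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_prime_order_curve(a, p):
    """Search b until E(F_p) has prime order, hence is cyclic as [0069] assumes."""
    for b in range(1, p):
        if (4 * a ** 3 + 27 * b * b) % p == 0:    # singular, skip
            continue
        n = curve_order(a, b, p)
        if is_prime(n):
            return b, n
    raise ValueError("no prime-order curve found")

B, N = find_prime_order_curve(A, P_MOD)
O = None   # point at infinity

def add(P1, P2):
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(P1):
    return None if P1 is None else (P1[0], (-P1[1]) % P_MOD)

def mul(k, P1):
    """Double-and-add scalar multiplication; k is reduced mod the order N."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, P1)
        P1 = add(P1, P1)
        k >>= 1
    return R

def hash_to_point(msg):
    """Try-and-increment: hash to x, step until x^3 + A x + B is a square."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    for i in range(1000):
        x = (h + i) % P_MOD
        rhs = (x * x * x + A * x + B) % P_MOD
        if legendre(rhs, P_MOD) in (0, 1):
            return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))   # p = 3 mod 4
    raise ValueError("no point found")

class ToyTOWF:
    """Models [z] as e(P) = d P (public) with e^-1(P) = (d^-1 mod N) P (private)."""
    def __init__(self, d):
        self.d = d % N
        self.d_inv = pow(self.d, -1, N)
    def apply(self, P1):      # public-key operation e
        return mul(self.d, P1)
    def invert(self, P1):     # private-key operation e^-1
        return mul(self.d_inv, P1)

def sum_points(msgs):
    total = None
    for m in msgs:
        total = add(total, hash_to_point(m))
    return total

# [0078]: one signer, t messages: S = e^-1(P_1 + ... + P_t); verify e(S) = sum.
def sign_many(key, msgs):
    return key.invert(sum_points(msgs))

def verify_many(key, msgs, S):
    return key.apply(S) == sum_points(msgs)

# [0080]/[0082]: t signers, one message.  Offsets A_i enforce an order;
# passing None (the point O) for every offset gives the unordered scheme.
def sign_ordered(keys, offsets, msg):
    S = hash_to_point(msg)
    for key, Ai in zip(keys, offsets):          # entity 1 signs first
        S = key.invert(add(S, Ai))
    return S

def verify_ordered(keys, offsets, msg, S):
    for key, Ai in reversed(list(zip(keys, offsets))):   # unwind from entity t
        S = add(key.apply(S), neg(Ai))
    return S == hash_to_point(msg)
```

Running verify_many with the same messages in a different order succeeds, which is the unordered-set behaviour noted in [0079]; with offsets of O the signers in sign_ordered can be permuted without changing the signature, as [0081] states, while distinct offsets A_i tie the signature to the signing order.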

[0083] Above, a modification of the original scheme is described so as
to enforce an ordering of the signing process using offsets A_i that are
unique for each of the signing entities. It will be seen that variations
hereof are possible, such as defining S_i=e_i^-1(f(P,i)) rather than
S_i=e_i^-1(P+A_i), where f is a mapping on E with the property that one
can efficiently re-compute P from f(P,i) and public information
associated with signing entity i. The ordered signing of a single message
by multiple entities could be useful for signing off, for example,
projects in a large organization, where multiple signatures are required
and a project needs to be signed off by authorized parties involved in a
particular hierarchical order (e.g., bottom-up).

[0084] Although the invention has been described with reference to certain
specific embodiments, various modifications thereof will be apparent to
those skilled in the art without departing from the spirit and scope of
the invention as outlined in the claims appended hereto. The entire
disclosures of all references recited above are incorporated herein by
reference.